OPENSSL配置文件路徑/etc/pki/tls/openssl.cnf
OPENSSL配置文件中CA配置項
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem-
建立CA
cd /etc/pki/CA (umask 077;openssl genrsa -out private/cakey.pem 2048 ) #生成CA私鑰 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 #生成CA自簽名證書 > index.txt #建立CA數據庫(默認此文件不存在) echo 09 > serial #默認此文件不存在,編號數字爲16進制 - 申請證書
(umask 066;openssl genrsa -out /test/app.key 1024) openssl req -new -key /test/app.key -out /test/app.csr #生成證書申請 - 頒發證書
openssl ca -in /test/app.csr -out /etc/pki/CA/certs/app.crt -days 100 - 吊銷證書
openssl ca -revoke newcerts/0B.pem openssl ca -status 0B echo 09 > crlnumber openssl ca -gencrl -out /etc/pki/CA/crl.pem